build(deps): bump github.com/zmap/zlint/v3 from 3.5.0 to 3.6.3 in /tools/mod #18407


@dependabot dependabot bot commented on behalf of github Aug 5, 2024

Bumps github.com/zmap/zlint/v3 from 3.5.0 to 3.6.3.

Release notes

Sourced from github.com/zmap/zlint/v3's releases.

v3.6.3

ZLint v3.6.3

The ZMap team is happy to share ZLint v3.6.3.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_ev_invalid_business_category Checks that businessCategory contains a valid value as per EV Guidelines 7.1.4.2.3
  • e_subj_orgunit_in_ca_cert The organizationalUnitName MUST NOT be included in Root CA certs or TLS Subordinate CA certs. organizationalUnitName is allowed for cross signed certificates, although not recommended. This lint may be configured to signify that the target is a cross signed certificate.
  • e_subj_country_not_uppercase Alpha-2 country codes shall consist of LATIN CAPITAL LETTER A through LATIN CAPITAL LETTER Z
  • e_aia_must_contain_permitted_access_method The AIA must contain only the id-ad-ocsp or id-ad-caIssuers accessMethod. Others are not allowed. Also, each accessLocation MUST be encoded as uniformResourceIdentifier GeneralName.
  • e_aia_ocsp_must_have_http_only The id-ad-ocsp accessMethod must contain an HTTP URL of the Issuing CA’s OCSP responder. Other schemes are not allowed
  • e_aia_unique_access_locations When multiple AccessDescriptions are present with the same accessMethod in the AIA extension, then each accessLocation MUST be unique.
  • e_cabf_org_identifier_psd_vat_has_state The cabfOrganizationIdentifier field for PSD org VAT Registration Schemes cannot include the referenceStateOrProvince field.
  • e_aia_ca_issuers_must_have_http_only The id-ad-caIssuers accessMethod must contain an HTTP URL of the Issuing CA’s certificate. Other schemes are not allowed
  • e_duplicate_subject_attribs Each Name MUST NOT contain more than one instance of a given AttributeTypeAndValue across all RDNs
  • e_ca_invalid_eku Checks that SubCA certificates do not contain forbidden values in their EKU extension
  • e_empty_sct_list At least one SCT MUST be included in the SignedCertificateTimestampList extension
  • e_precert_with_sct_list SCTs must be embedded in the final certificate, not in a precertificate
  • e_cert_ext_invalid_der Checks that the 'critical' flag of extensions is not FALSE when present (as per DER encoding)
  • e_crl_missing_crl_number CRL issuers conforming to this profile MUST include this extension in all CRLs
  • e_sub_cert_eku_check Subscriber certificates MUST have id-kp-serverAuth and MAY have id-kp-clientAuth present in extKeyUsage
  • e_invalid_cps_uri If the CPS URI policyQualifier is present in a certificate, it MUST contain an HTTP or HTTPS URL
  • e_crl_empty_revoked_certificates When there are no revoked certificates, the revoked certificates list MUST be absent
  • e_crl_revoked_certificates_field_must_be_empty When the revokedCertificates field is empty, it MUST be absent from the DER-encoded ASN.1 data structure
  • e_ev_orgid_inconsistent_subj_and_ext Checks that the organizationIdentifier Subject attribute and the CABFOrganizationIdentifier extension are consistent
  • e_subject_rdns_correct_encoding CAs that include attributes in the Certificate subject field that are listed in the Tables 77 and 78 of BR 2.0.0 SHALL follow the specified encoding requirements for the attribute

Miscellaneous

  • Modified util.IsEmailProtectionCert to consider whether the certificate in question has an email SAN and whether it is an S/MIME BR certificate.
  • Modifies util.IsServerAuthCert to presume that certificates with unknown key usages are server certificates.
  • w_sub_cert_eku_extra_values is now ineffective as of CABF/BRs 2.0.0
  • e_sub_cert_eku_server_auth_client_auth_missing is now ineffective as of CABF/BRs 2.0.0

Changelog

  • 13c40b2e74b1eb715a5af57f331efcf5f2f0acdd Fix goreleaser to use the --clean flag rather than --rm-dist (#868)
  • 015d220 Add lint to check for a valid business category in EV certificates (#830)
  • 2440571 Add lint to check that Root CA and TLS SubCA certificates do not contain the OU subject attribute (#864)
  • 672100d util: gtld_map autopull updates for 2024-07-13T13:20:09 UTC (#866)
  • f6d07ed Improve util.IsEmailProtectionCert function (#858)
  • f7f6b51 Add lint to check that the countryName attribute (C) is in uppercase (#859)
  • 24d58f9 Subscriber aia lints (#860)
  • 04d863f cabfOrganizationIdentifier extension for VAT and PSD based organizationIdentifiers cannot have referenceStateOrProvince (#848)
  • e5da476 Improve the util.IsServerAuthCert() function (#856)
  • 5b73e7b Fix ExpectedDetails of passing invalid subject test (#846)
  • 899709e Aia ca issuers must have http only (#852)
  • ae8d594 util: gtld_map autopull updates for 2024-06-12T22:19:30 UTC (#854)
  • b14a83b fix: Only apply CN check for Subscriber certificates (#851)
  • bf3764c Cleanup some unnecessary allocations (#849)

... (truncated)

Commits
  • 13c40b2 Fix goreleaser to use the --clean flag rather than --rm-dist (#868)
  • 015d220 Add lint to check for a valid business category in EV certificates (#830)
  • 2440571 Add lint to check that Root CA and TLS SubCA certificates do not contain the ...
  • 672100d util: gtld_map autopull updates for 2024-07-13T13:20:09 UTC (#866)
  • f6d07ed Improve util.IsEmailProtectionCert function (#858)
  • f7f6b51 Add lint to check that the countryName attribute (C) is in uppercase (#859)
  • 24d58f9 Subscriber aia lints (#860)
  • 04d863f cabfOrganizationIdentifier extension for VAT and PSD based organizationIdenti...
  • e5da476 Improve the util.IsServerAuthCert() function (#856)
  • 5b73e7b Fix ExpectedDetails of passing invalid subject test (#846)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) labels Aug 5, 2024
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign spzala for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@henrybear327

Fully indirect, suggest closing directly.

➜  etcd git:(dependencies/08_08_24) grep -Ri "github.com/zmap/zlint/v3 v" | grep -v sum
./tools/mod/go.mod:     github.com/zmap/zlint/v3 v3.5.0 // indirect

Bumps [github.com/zmap/zlint/v3](https://github.com/zmap/zlint) from 3.5.0 to 3.6.3.
- [Release notes](https://github.com/zmap/zlint/releases)
- [Commits](zmap/zlint@v3.5.0...v3.6.3)

---
updated-dependencies:
- dependency-name: github.com/zmap/zlint/v3
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/tools/mod/github.com/zmap/zlint/v3-3.6.3 branch from 4cb7acd to b6d433a Compare August 8, 2024 21:01
@ahrtr ahrtr closed this Aug 8, 2024

dependabot bot commented on behalf of github Aug 8, 2024

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/go_modules/tools/mod/github.com/zmap/zlint/v3-3.6.3 branch August 8, 2024 21:01
Labels: area/tooling, dependencies (Pull requests that update a dependency file), go (Pull requests that update Go code), needs-ok-to-test, size/XS